Outbound network access destinations for Azure

If you have limited outbound internet access (for example due to using a firewall or proxy), review this content to learn which specific outbound destinations must be available in order to register a CDP environment.

The following list includes general destinations as well as Azure-specific destinations:

Description/Usage CDP service Destination Protocol and Authentication IP Protocol/Port Comments
Cloudera CCM

Persistent Control Plane connection

All services IP:

Hostname pattern: *.ccm.cdp.cloudera.com

SSH public/private key authentication TCP/6000-6049 One connection per cluster configured; persistent.
Cloudera Databus

Telemetry, billing and metering data

All services dbusapi.us-west-1.altus.cloudera.com


HTTPS with Cloudera-generated access key TCP/443 Regular interval for telemetry, billing, metering services, and used for Workload Manager if enabled.
Control Plane API DataFlow,

Machine Learning,

Data Engineering

api.us-west-1.cdp.cloudera.com HTTPS with Cloudera-generated access key TCP/443 Cloudera’s control plane REST API.
Cloudera Manager parcels

Software distribution

Data Hub,

Data Lake,

Operational Database

Data Engineering

archive.cloudera.com HTTPS TCP/443 Cloudera’s public software repository. CDN backed service; IP range not predictable.
Docker Images

Software Distribution

Data Engineering,


Machine Learning



HTTPS TCP/443 Cloudera’s public docker registry. CDN backed service; IP range not predictable.
Docker Images

Software Distribution


Data Warehouse

Data Engineering

container.repo.cloudera.com *.s3.<region>.amazonaws.com



Additionally, the following are required only for old/existing DW environments:












HTTPS TCP/443 Moved to container.repo.cloudera.com

container.repo.cloudera.com uses ECR which requires S3 URLs.

Network Time Protocol Synchronization DataFlow [0-3].pool.ntp.org Network Time Protocol UDP/123 Container services require access to Network Time Protocol servers in order to maintain synchronization of date and time status.
General Azure guidelines All See Safelist the Azure portal URLs on your firewall or proxy server for Azure egress best practices.
Azure Kubernetes Services (AKS) Data Warehouse,

Machine Learning,

Data Engineering

See Control egress traffic for cluster nodes in Azure Kubernetes Service (AKS).
Azure Data Lake Storage Gen 2 Data Lake,

Data Hub,

Operational Database,

Data Engineering

<storage account name>.dfs.core.windows.net HTTPS

Azure authentication

TCP/443 Azure Storage VPC endpoint is required (Microsoft.Storage).
Azure Database for Postgres Data Lake,

Data Hub,

Data Warehouse,

Machine Learning

*.postgres.database.azure.com JDBC / Postgres binary protocol TCP/5432 Azure SQL VPC endpoint is required (Microsoft.Sql).
ARM to manage User Assigned Managed Identities Data Lake management.azure.com HTTPS

Azure authentication

TCP/443 This can be allowed by using the AzureResourceManager Azure service tag. Additionally IP addresses to whitelist are available to download.
Microsoft Log Analytics All *.agentsvc.azure-automation.net





Azure authentication

TCP/443 Optional; but may cause issues with Azure approved images if blocked.
Azure Database for MySQL Data Engineering *.mysql.database.azure.com JDBC / Postgres binary protocol TCP/3306 Azure Database for MySQL
Azure files Data Engineering *.file.core.windows.net SMB TCP/445 What is Azure Files?
Digicert CA Certificate Data Engineering www.digicert.com



Azure authentication

TCP/443 Fetching TLS CA for Azure MySQL DB secure connection